Tor at the Heart: Riseup.net

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom. Donate today!

Riseup.net

Riseup.net was started back in 1999 after the WTO protests in Seattle. They provide online communication tools, including email, chat, file uploads and collaborative platforms for people and groups working on liberatory social change. Riseup is a project to create democratic alternatives and to practice self-determination through the control of secure means of communication.

The Riseup collective is made up of many "birds" who believe it is vital that essential communication infrastructure be controlled by movement organizations and not by corporations or governments.

They strive to keep mail as secure and private as possible. They do not log your IP address. (Most services keep detailed records of every machine that connects to their servers. Riseup only keeps information that cannot be used to uniquely identify your machine). All of your data, including your mail, is stored by riseup.net in encrypted form. They work hard to keep their servers secure and well defended against any malicious attack. They do not share any of their user data with anyone. They actively fight all attempts to subpoena or otherwise acquire any user information or logs. They do not read, search, or process any of your incoming or outgoing mail, other than by automatic means to protect you from viruses and spam or when directed to do so by you when troubleshooting.

Some of the Riseup birds work tirelessly on building secure email infrastructure, one of them runs longclaw, one of our amazing directory authorities, and all of them are dedicated to building a better Internet—and thus, incidentally, a better world. Oh, and they also run two fast Tor exit nodes, wagtail and pipit.

In addition, for years Riseup has been providing Onion Services for each of their services. Start using them today here!

We also can't thank them enough for writing this Onion Service Best Practices Guide, helping countless users and services around the Internet to be more secure, and truly making everyone not part of a DarkWeb but rather a SecureWeb (tm).

We hope we can continue this close relationship with Riseup. So many Tor users around the world depend on them for protection. Please visit our bird friends at Riseup and support their critical work!

Thanks so much for highlighting the critical role played by Riseup in promoting democracy around the world!

As a Riseup user myself, I know how vital this resource is for activists and political dissidents everywhere--- and how strained are their coffers, so I hope Tor users who use this blog will request an account and donate to help pay for the Riseup servers.

Maybe I missed something, but did you fail to mention the fact that Tails Project extensively uses Riseup Labs for bug tracking and development collaborations?

The Tails version of Tor Browser includes a bookmark to the Riseup webmail server, which possibly should point to the onion rather than the https link. One important point about Riseup webmail: if both sender and recipient have accounts at riseup.net and do not forward emails to accounts elsewhere, it is believed that emails between them should never leave the Riseup servers at all, which could make it much harder for attackers to snoop on metadata (e.g. for traffic analysis, social networking analysis) without risking breaking into the network. This could be an enormous advantage for reporters communicating with sources, especially in cases when other communication modes are not available.

Further, since the Riseup sysadmins try to run a secure ship, even sophisticated state sponsored attackers may acknowledge that any attempts to break into the Riseup network may be noticed, or even worse for them, their malware may be captured, reverse engineered, and published with attribution! This stands in contrast to commercial providers, where security is a low priority (even worse, some commercial webmail providers claim but do not attempt to provide high security).

I hope a Riseup representative can comment on concerns among Riseup users about the fact that the warrant canary has not been recently updated. This should be updated "approximately" every 3 months but not updated since Aug 2016. To be sure, such concerns have been expressed before, and on those occasions the canary was eventually updated, with no explanation for the delay.

However, a few months ago, the Riseup blog tweeted a reassurance which was oddly worded "no *activists* are at risk", leading to concern that Riseup has possibly been hit with an NSL or some other USG procedure accompanied by a gag order, or perhaps even that Riseup sysadmins are "operating under duress". Some replies to user emails have also been strangely worded. My latest information (some weeks old) seemed to suggest that Riseup was seeking legal advice about something, and hoping to say more after talking with their lawyers.

Micah Lee, a tech advisor to EFF and The Intercept, wrote about the rumors two weeks ago in this story at The Intercept:

@ The Intercept: please make sure your reporters' GPG keys as published at The Intercept have not expired! And reporters, please check your Riseup account inboxes. With great caution, since some users report receiving suspected phishing emails.

Regardless of the rumors, as far as I know, Riseup is one of the very few webmail providers which is likely to at least try to fight any NSL or other attempt to exploit "counterterrorism" legislation to harass political dissidents, environmentalists, scientists, technologists, journalists, social justice activists, anti-drug cartel bloggers, and many others who use Riseup.

riseup is operating under a neocommunist doctrine. If you are alright with people preaching the 'evil of fascism' where 'fascism' is some arbitrary notion of what they don't approve, then I guess you can use their services. If you are not ok with Stalin's ghost, then you should stay clear.

I bet the Riseup collective wouldn't know the difference between fascism, nationalism and nazism. So it's funny they ask for differentiation between anarchism and stalinism or whatever they call it now.

Hello ,
These "words" [anarchist,socialist,communist,fascism,etc.] are coming from an old historic culture and are not understood by young 'nation' ... so you know , the usa and his knowledge of the politics ...
Cheers.

> So...
May i answer to you quietly ?
The 'political/historical terms' in reference were known by a struggle during few hundred of centuries and learn before during few thousand ...
A - your culture -usa- is non-existent :
How could you understand "terms" that you have not built with your blood ?
e.g. An anarchist in the usa is a tramp hiding in a train.
e.g. A socialist in the usa is a policeman who is speaking about his italian village.
e.g. A communist in the usa is someone who earns his money in the usa but spends it in cuba
B - your history -usa- is empty :
e.g. The us_ speaks between foreign civilization by a commercial agreement and it is forced not discussed and at our advantage.

> But ...
Russia & Usa are allies and trump-putin are a better solution for the peace & the development than E.U _ if you should have preferred an abandoned [lost nation ?] country without identity governed by the downiest people , why have not voted for their opponent ?
If you are a genuine or a native american (i have few doubt about that but who knows ..); you should look at that you win (a clean & strong nation) & not that you lose (the trash-rap dance-ist).

I dare you: pilot an ultralight into the courtyard of the cadet barracks at West Point Military Academy and *say that again*! :-)

Actually, this one is quite funny:

o An American anarchist is a tramp hiding in a train.

But what does it mean? Is it some kind of dig at Woody Guthrie?

I hear that Putin was sorely annoyed when Bob Dylan won a Nobel Prize, because for reasons known only to himself, he felt he should have won.

Be this as it may, your deprecation of American political dissidents begs the question: if American anarchists are such wimps, why is the FBI so frightened by them?

Assuming for the sake of argument that the feds are not also wimps (which admittedly may be the simplest explanation), one answer is that the only mission statement FBI cares about, follows closely, and is somewhat effective in fulfilling (in common with too many other agencies operated by various governments) is: "don't embarrass the agency". And the following tells the short story of a big embarrassment early in the FBI's disreputable history of failure and oppression:

Yes, you read that right--- before the truck bomb there was the horse-drawn buggy bomb. Good grief.

Anyway, at Riseup we plan marches, media stunts, that kind of thing. And the FBI always claims that they "must" [sic] spy on us all every minute because there might be *someone* somewhere who isn't satisfied with nonviolent approaches to politics. And we reply that using that kind of hypothetical, you can "justify" any oppression. Wonderful.

In short , you have not the official right to manifest _ you have not won it and no one has given it to you so you are acting illegally and for nothing (if ouba_ouba & harry_son had to do something they should have yet did that ! ).
*the political terms in reference are a right given by the congress (1897/1929/1962) & have not such importance than a struggle from at least 1000 years.
*i did not know that dylan-bob was looking for a job hiding in a train living with his misery in 1929.
*a false history/opinion from fake usa guy (or russian) even studying at west point are for useless & criminal immigrants.
*i did not know that putin the great had the ambition to be an american citizen walking on the street with his guitar singing 'i love new-york'
*Agencies do not care of the protesters , a bonus is given when someone is matched & arrested
in short , you need some education and certainly not a civilized world.

> you have not the official right to manifest _ you have not won it and no one has given it to you so you are acting illegally

I *think* you might be claiming that

o I am posting opinions which have not been sanctioned by officials of my government (or yours?)--- I'm proud to affirm that this at least is correct!

o I am implicitly asserting a universal right to free speech--- damn right I am!

o No government has offered me or anyone else such a right--- this one is wrong; you should possibly read the Bill of Rights, and then the Constitutions of some non-USA nations, many of which enunciate a universal right to free speech; you surely recognize that Tor Project is all about the universal right to free speech, so you must know you are not likely to win many adherents in this blog.

> and for nothing (if ouba_ouba & harry_son had to do something they should have yet did that !

This is sufficiently incoherent to cause me some concern that I might be trying to argue with a nonhuman "author". If not, how strange that modern technology has maneuvered a passionate defender of human rights into the worst violation of all--- expressing doubts about the humanity of a human. Good grief. Sometimes it appears literally impossible to exist in the 21st century without being not merely a criminal, but the worst kind of criminal. I can only hope that my expression of doubt about my doubt will absolve me in this instance.

> even studying at west point are for useless & criminal immigrants

So you criticize West Point for... admitting the occasional first generation immigrant?

I can think of all kinds of criticisms, but open admission of qualified candidates regardless of ethnic origin is not one of them.

> i did not know that putin the great had the ambition to be an american citizen walking on the street with his guitar singing 'i love new-york'

I notice you are not denying the rumor that Putin, like Hitler, fancies himself a meritorious artist.

> Agencies do not care of the protesters , a bonus is given when someone is matched & arrested

I *think* you might be stating, with approval, that Surveillance State operatives are given a bonus each time they deanonymize someone, leading to an arrest. No doubt, but what is your point?

> you need some education and certainly not a civilized world.

I *think* you might be stating that you want to send privacy advocates to some kind of political re-education camp, and that defenders of human rights do not deserve the benefits of civilization.

We would argue that the best of all benefits are the rights to live as a human being free to travel, associate, read, think and write freely, to own our own lives and to have the opportunity to define for ourselves who we are and what we want to be the focus of our own lives. But it seems you want to deny us all of these rights.

While their political stance troubles me, I think that a pragmatic alliance is a valid approach.
I am willing to follow the "enemy of my enemy" rule if it comes to something so benign as using a group's internet service.

And you should also mention that the real version of this page used to be quite different. The riseup team decided recently to change it into what you linked to because of the negative controversy against their original manifest, which used to be their flagship for years.

You are most likely correct that few Riseup members adhere to nationalist, much less racist or genocidal views, and those who espouse the latter are sure to be politely asked to close the door quietly as they leave.

>> riseup is operating under a neocommunist doctrine. If you are alright with people preaching the 'evil of fascism' where 'fascism' is some arbitrary notion of what they don't approve, then I guess you can use their services. If you are not ok with Stalin's ghost, then you should stay clear.

It seems you may be Russian.

I wonder whether you might be prepared to admit that a poem which Yevtushenko wrote (in English) about the unexpected (to CIA) collapse of the USSR seems newly relevant to the situation facing American dissidents after the election of the openly pro-Putin authoritarian, Donald Trump:

> We buried our icons.
> We didn't believe in our own great books.
> We fight only with alien grievances.
>
> Is it true that we didn't survive under our own
> yoke,
> Becoming for ourselves worse than our foreign
> enemies?

ISIS is awful, but to many it seems clear that US and RU regimes are far more dangerous to the average citizen living anywhere in the world, but perhaps especially to those living in US or RU.

That is what GPG is for. You can ensure that the admin of Riseup (or of the Tor Project blog. I'm not entirely sure which you meant) cannot replace what you said with anything else. They could try to censor you outright, but they could not forge your words.

Not true. For example, civil libertarians in Spain used Riseup to organize to oppose the "Vomit Law". Political dissidents use Riseup to track political corruption in Latin America and Africa. Dissidents around the world use Riseup to stay in touch.

If the moderator allows, I will explain the connection with the potential for server seizures in another comment. If the moderator permits, I hope to explain why this story, which might seem to validate your concern, should *not* deter anyone from using Riseup; quite the contrary, on the whole IMO you are unlikely to find a safer place to be an activist on-line than Riseup.

There is a connection, but the comment explaining it in detail was apparently not passed by the moderator, I don't know why not. (It is also possible, I suppose, that it vanished into the ether due to enemy interference with the connection to blog.torproject.org via Tor nodes possibly operated by an unfriendly entity such as GCHQ or GRU.)

Interested persons can search for stories about a seizure by FBI of a server operated by Riseup for MayFirst, which was first reported by Riseup itself with a clear explanation of why the consequences for Riseup itself were (fortunately) minimal. The seizure was part of a worldwide raid by FBI in which dozens of servers operating remailers were seized, in a failed attempt to stop an unknown actor who was allegedly using remailers to send bomb threats. AFAIK, no actual bombs were ever discovered, and the threats continued well after the raid.

> Did you mean that seizures of servers by US LEAs endanger activists outside the USA *more* or *less* than activists inside the USA (and thus easily arrested by those same LEAs)? If the latter, well, obviously. If the former, please explain your reasoning.

It is unfortunately true that activist collectives around the world frequently experience harassment, including equipment seizures and even raids by local "security authorities".

For example, a Brazilian sister to Riseup had a server seized during political unrest in that country:

>> The Saravá Group is facing the imminent threat of the seizure of its main server by the Public Prosecutor in Brazil. This action comes at a time when Brazil is hosting netmundial, a conference on the future of internet governance. Ironically, earlier this week Brazil passed legislation touted as a “Bill of Rights” for the internet. Yet only days later...

Another group with somewhat similar aims, MayFirst, had a server seized by FBI from the NYC field office in 2012 in connection with FBI's increasingly desperate attempts to identify an anonymous person who was threatening schools in another US state. Because that server was in a colocation facility where MayFirst and Riseup shared space, Riseup users were also affected (but the damage was quickly repaired; the seized server was never used again out of fear that FBI had planted an APT backdoor on it; I do not know the outcome of forensic examination which attempted to find and reverse engineer any malware planted by FBI).

>> On Wednesday, April 18, at approximately 16:00 Eastern Time, U.S. Federal authorities removed a server from a colocation facility shared by Riseup Networks and May First/People Link in New York City. The seized server was operated by the European Counter Network (“ECN”), the oldest independent internet service provider in Europe, who, among many other things, provided an anonymous remailer service, Mixmaster, that was the target of an FBI investigation into the bomb threats against the University of Pittsburgh
>> ...

(A small digression, if I may: the modern city of Pittsburgh was a wilderness sparsely populated by persons of European origin during the Washington administration. In 1791, after the Treasury Secretary, Alexander Hamilton, imposed the first major federal tax, on whisky sales, farmers in the Pittsburgh area revolted in the so-called "Whiskey Rebellion", because they relied on local sales of whisky for cash. Washington himself led an army of regulars against the rebellious Americans. Owing to a painful back injury suffered in a fall from a horse some years previously, he soon turned over command to Hamilton, who was also a U.S. Army General. The army attacked some farmhouses and eventually arrested most of the rebel leaders, as well as moderates who were trying to make peace. For some time it appeared likely that Hamilton would carry out field executions, but Washington intervened and pardoned most of the rebels. As this story shows, credible threats to American citizens from the U.S. federal government, and from the U.S. military, are hardly a novel phenomenon. And Hamilton was no saint.)

Dozens of servers in other countries (not associated with Riseup) were seized using the same warrant:

> Agents of the Federal Bureau of Investigations seized a server belonging to an Italian Internet service provider on Thursday as part of an investigation into a series of anonymous bomb threats sent to the University of Pittsburgh. But the groups associated with the operation of the server are calling the seizure an attack on Internet anonymity.

It is notable that the University of Pittsburgh continued to receive threats after this notorious worldwide raid, proving that FBI sees no ethical violation in harming innocent civilians all over the world when its absurdly vaunted reputation is endangered. The servers were eventually returned but of course they could not be used again.

Riseup itself has come under direct attack from various governments, including both governments allied with and hostile to the US government.

A well known example: during street protests against the "Vomit Law" in Spain, a misguided Spanish judge declared Riseup a "terrorist organization" under the broadly written "counter-terrorism" law which had just been enacted in Spain (the "Vomit Law" itself, the very law being protested). In that case, the US DOJ apparently decided that Riseup did not fit the (also very broad) definition of a "terrorist group" under US law.

Less well known examples include apparently state-sponsored phishing campaigns tied to intelligence agencies maintained by UK and RU, among others.

The widely reported leak of the internal emails of the notorious Italian espionage-as-a-service company Hacking Team showed that someone using an account tied to the Czech national police had ordered up a HT malware tailored for attacking the Riseup mail server. It was not clear from those emails whether he intended to attack all Riseup users, or just one specific user, much less the reason why. It was however clear that he, like many others who hire HT, was pretty clueless about the dangerous tools they wanted to use.

MayFirst also continues to come under nasty attack from various sources. An excellent story which just appeared in ArsTechnica:

>>> “Through our e-mails and our social media accounts we get death threats all the time,” said Janisha Gabriel. “For anyone who’s involved in this type of work, you know that you take certain risks.” These aren’t the words of a politician or a prison guard but of a Web designer. Gabriel owns Haki Creatives, a design firm that specializes in building websites for social activist groups like Black Lives Matter (BLM)—and for that work strangers want to kill her.
>>> ...
>>> Since its creation, pushback against BLM has been strong in both the physical and digital world. The BLM website was taken down a number of times by DDoS attacks, which its original hosting provider struggled to deal with. Searching for a provider that could handle a high-risk client, BLM site admins discovered MayFirst, a radical tech collective that specializes in supporting social justice causes such as the pro-Palestinian BDS movement, which has similarly been a target for cyberattacks.
>>>
>>> MayFirst refers many high-profile clients to eQualit.ie, a Canadian not-for-profit organization that gives digital support to civil society and human rights groups; the group’s Deflect service currently provides distributed denial of service (DDoS) protection to the Black Lives Matter site. In a report published today, eQualit.ie has analyzed six months’ worth of attempted attacks on BLM, including a complete timeline, attack vectors, and their effectiveness, providing a glimpse behind the curtain at what it takes to keep such a site running.

A salient point about these attacks is that social media sites catering to US police officers (yes, they exist; some are even taxpayer funded!) are chock full of ugly (and badly misinformed) opinions about BLM, raising the possibility that the attackers may include (off duty?) cops or misguided supporters of the rabid Sheriff of Milwaukee County, David Clarke. Clarke has stated in numerous editorials that he believes that the USA is in a state of "civil war" (his words) between BLM and the government. Anyone who has compared recent video footage from Aleppo and Milwaukee will probably be disposed to dismiss Clarke as a lunatic, but he enjoys a large following among armed hotheads, which makes him very dangerous in American politics. And he is apparently being considered for some high level post in the incoming Trump administration.

How should activists react to such threats? With fearful retreat? Certainly not! We must rather redouble our efforts to oppose everywhere the encroaching tide of Fascism which has spread to such formerly democratic nations as the USA and Spain.

Remember, even after Hitler became Chancellor in Germany, if more ordinary citizens had protested against his illegal actions targeting political dissidents, Gypsies, gays, disabled persons (the first mass killings exterminated institutionalized severely mentally disabled patients who were killed in the very asylums where they had been incarcerated), and Jews, Catholics, and other ethnic/religious groups, the Holocaust might never have happened. Even then, after so many disasters for civil liberties had already occurred, it might have been prevented if only more people had acted with courage and resolution.

For invaluable insight into how state sponsored genocides develop, please see:

> but the vpn are based in the usa : dangerous for non-residents.
<> you wrote a lot but nothing about in connection with the reference : are you a bit out of the reality ?
# Riseup is a nice solution and maybe almost perfect running on its own closed (between closed friend i mean) platform but the new vpn have 2 vpn based exclusively in the usa so as soon as you enter in you are under the usa laws.

> "Remember, ... resolution."
<> you do not know what you are speaking about and there are no connections with the reference * but the vpn are based in the usa : dangerous for non-residents.*

> "For ...Denial"
<> same answer see above
# it must be a female comment from the white house after the defeat.

> Riseup is a nice solution and maybe almost perfect running on its own closed (between closed friend i mean) platform but the new vpn have 2 vpn based exclusively in the usa so as soon as you enter in you are under the usa laws.

Yes, but if you and your friends all use gpg, carefully encrypted/decrypted offline, not even Riseup admins can read the contents. If you and all your friends use Riseup, your emails may never even leave the Riseup network, so to perform "traffic analysis" (for example by constructing a graph whose nodes are riseup user accounts, with an edge between each pair of users who have emailed each other), an adversary would have to compromise the Riseup network. Yes, the USG could put pressure on Riseup admins to simply let them snoop on the metadata, but even then not even NSA (probably) could read the contents.

It's not perfect but it's something.

Something which is effective enough to deeply worry the "security authorities" in various nations, it seems, all of whom want to keep a close eye on their own dissidents. But it seems you already know that!

By the way, Riseup does not discourage anyone from forming their own collective in some country they think is safer than the USA. Quite the contrary.

> And all is under survey , when i am typing even the admin could censor & replace my words by his own sentences.

Are you talking about Riseup webmail or this blog?

If the former, you can use end-to-end encryption and then no webmail admin can alter your words. Not that I have any reason to think Riseup would ever dream of doing such a thing, or even admins at commercial providers. In most countries, that would be illegal.

Spooks on the other hand operate outside the law in every country and certainly would be happy to alter words if they have intruded into your network.

Recent Updates

Hi! There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.3.3.2-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release some time in February.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.3.3.2-alpha is the second alpha in the 0.3.3.x series. It introduces a mechanism to handle the high loads that many relay operators have been reporting recently. It also fixes several bugs in older releases. If this new code proves reliable, we plan to backport it to older supported release series.

Changes in version 0.3.3.2-alpha - 2018-02-10

Major features (denial-of-service mitigation):

Give relays some defenses against the recent network overload. We start with three defenses (default parameters in parentheses). First: if a single client address makes too many concurrent connections (>100), hang up on further connections. Second: if a single client address makes circuits too quickly (more than 3 per second, with an allowed burst of 90) while also having too many connections open (3), refuse new create cells for the next while (1-2 hours). Third: if a client asks to establish a rendezvous point to you directly, ignore the request. These defenses can be manually controlled by new torrc options, but relays will also take guidance from consensus parameters, so there's no need to configure anything manually. Implements ticket 24902.
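The three defenses above, modelled as a small per-client-address state machine. This is an added example, not code from Tor: the struct and function names are hypothetical, time is in whole seconds, "(3)" is read as three or more open connections, and the "1-2 hours" refusal period is fixed at its lower bound.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Default parameters quoted in the release notes above. */
#define MAX_CONCURRENT_CONNS 100  /* first defense: more than 100 connections */
#define CIRC_RATE_PER_SEC    3    /* second defense: sustained circuit rate */
#define CIRC_BURST           90   /* second defense: allowed burst */
#define CIRC_MIN_CONNS       3    /* second defense: connection threshold */
/* The notes say "1-2 hours"; this model uses the lower bound (assumption). */
#define DEFENSE_PERIOD_SEC   3600

/* State kept per client address (hypothetical layout, not Tor's). */
typedef struct {
    uint32_t conns;          /* connections currently open */
    uint32_t tokens;         /* circuit-creation tokens left in the bucket */
    uint64_t last_refill;    /* time of the last bucket refill */
    uint64_t blocked_until;  /* create cells are refused before this time */
} client_state;

void client_init(client_state *c, uint64_t now) {
    c->conns = 0;
    c->tokens = CIRC_BURST;  /* a new client starts with a full burst */
    c->last_refill = now;
    c->blocked_until = 0;
}

/* First defense: hang up once the address already holds 100 connections. */
bool on_new_connection(client_state *c) {
    if (c->conns >= MAX_CONCURRENT_CONNS)
        return false;
    c->conns++;
    return true;
}

void on_connection_closed(client_state *c) {
    if (c->conns > 0)
        c->conns--;
}

/* Token bucket refill: 3 tokens per elapsed second, capped at the burst. */
static void refill(client_state *c, uint64_t now) {
    if (now <= c->last_refill)
        return;
    uint64_t t = c->tokens + (now - c->last_refill) * CIRC_RATE_PER_SEC;
    c->tokens = t > CIRC_BURST ? CIRC_BURST : (uint32_t)t;
    c->last_refill = now;
}

/* Second defense: an address that empties its bucket while holding at
 * least CIRC_MIN_CONNS connections has create cells refused for the
 * defense period. Below that threshold it is never blocked. */
bool on_create_cell(client_state *c, uint64_t now) {
    if (now < c->blocked_until)
        return false;
    refill(c, now);
    if (c->tokens > 0) {
        c->tokens--;
        return true;
    }
    if (c->conns >= CIRC_MIN_CONNS) {
        c->blocked_until = now + DEFENSE_PERIOD_SEC;
        return false;
    }
    return true;
}

/* Third defense: ignore rendezvous requests sent directly by a client. */
bool on_establish_rendezvous(bool sender_is_direct_client) {
    return !sender_is_direct_client;
}

/* Send n create cells at one instant; return how many were accepted. */
int send_creates(client_state *c, uint64_t now, int n) {
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (on_create_cell(c, now))
            accepted++;
    return accepted;
}

int main(void) {
    client_state c;
    client_init(&c, 0);
    for (int i = 0; i < 3; i++)
        on_new_connection(&c);
    printf("accepted %d of 200 create cells at t=0\n", send_creates(&c, 0, 200));
    printf("create at t=3599 accepted: %d\n", on_create_cell(&c, 3599));
    printf("create at t=3600 accepted: %d\n", on_create_cell(&c, 3600));
    return 0;
}
```

The second client in the test shows why the connection threshold matters: a single-connection address that exceeds the rate is never blocked in this model, because the defense only triggers when both conditions hold.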

Major bugfixes (netflow padding):

Stop adding unneeded channel padding right after we finish flushing to a connection that has been trying to flush for many seconds. Instead, treat all partial or complete flushes as activity on the channel, which will defer the time until we need to add padding. This fix should resolve confusing and scary log messages like "Channel padding timeout scheduled 221453ms in the past." Fixes bug 22212; bugfix on 0.3.1.1-alpha.